The Importance of Managing Information Security from a CEO Perspective
by Edward E. Crutchfield, Former Chairman and CEO of First Union Corporation
During my 16-year tenure as CEO of First Union, I was constantly focused on increasing shareholder value. In the highly competitive financial services industry, this typically equated to the necessity to continually create a strong competitive advantage over the thousands of institutions targeting our customers and prospects. Never was this task more difficult than over the last 10 years. During this time, the financial product lines became blurred, and we had to face additional competition from brokerages, insurance companies and other non-traditional banking institutions. At the same time, we had to grow our product lines into their traditional markets and compete with them on their turf. On top of these factors came the birth of the Internet, bringing with it new opportunities, as well as risks. This was when I really began to understand how important information security was to my company and its ability to compete in the new millennium.
Some companies continue to take the "insurance stance" and view information security as a cost of doing business. The reasons for this view are obvious. Unlike many of the technologies deployed, security investments cannot be measured in terms of ROI. Asking our CIO to provide this would have resulted in many hours of wasted time by our security team. In contrast, I have always held the opposite view that security is, in fact, a business enabler that provides companies with a true competitive advantage.
Shareholder value is driven by competitive advantage, which, in turn, drives customer acquisition and retention. In the financial services industry, acquiring and retaining customers basically depends on how well you service them and how much they trust your organization with their money. Information security is critical to delivering the best service you can deliver, while reinforcing the perception of trust.
Customer service really comes down to availability. Are you there for your customers when they need you? If not, they will go elsewhere. Nowhere is this more apparent than in the financial services industry where customers have thousands of institutions vying for their business. I realized that with the emergence of ATM networks and the Internet, we would be bringing more and more of our services online. This meant we needed to make sure our network services were available 24X7 so that we would be there anytime our customers needed us. In order to effectively achieve 24X7 availability, we needed a sound technology infrastructure coupled with an effective security program.
This truth became all the more apparent when the Slammer outbreak hit the Internet in January 2003. I remember reading stories about a major bank's ATM network being taken down from this incident. These stories made me cringe as I thought about the consequences. Many of their customers were without cash when they needed it. The event illustrates the fact that information security plays an important role in availability. Simply deploying the best infrastructure may leave your organization with the best unavailable systems in your industry.
A more intangible, but equally important benefit of information security is creating the perception of trust. Obviously trust is of utmost importance in the financial industry, but it is also an important component of any successful brand. Customers will always be more willing to conduct business with an organization that they trust. The Internet has placed even more importance on trust across all industries since customers now do business in a much less personal manner. Reestablishing trust once the bond between you and your customer is lost is extremely difficult. This is illustrated in a recent study by Ernst & Young (Mark Doll, SC Magazine, June 2003 "Learning the Language of CEOs") that studied the effects of 22 publicly reported security events. According to the study, the average drop in share price within the first 3 days was 5.6%, eroding $15 - $20 million of shareholder value. This study demonstrates that shareholders recognize that these events result in lost trust, which has the ultimate effect of lost revenue.
At First Union, my primary concern was increasing shareholder value by constantly gaining competitive advantages over the thousands of institutions trying to acquire our customers and prospects. A well-managed information security program provides competitive advantage by positively affecting customer acquisition and retention, which is the cornerstone of any business's ability to generate revenue. Without a solid information security program we would have never been able to transition our competitive advantages to the networked world. CEOs that conduct business online must view information security as a business enabler and not a cost of doing business. Failing to view security in this way will inhibit their ability to grow their company to its full potential.
When the Worst Happens
by Fred Avolio, Avolio Consulting, Inc.
My last column discussed how to prepare for the worst when a computer security "incident" occurs. We know that preparation is not the same as prevention, but the two go hand-in-hand if you are to successfully minimize the damage from an incident. This column will focus on providing an overview of the Computer Security Incident Response Team (CSIRT) in action.
Signs you've been attacked
Signs of an attack are varied. Sometimes it is obvious: the attacker calls - either to be a "hero," to brag about it, or for extortion; Internet access all but disappears under a denial of service attack; or perhaps your web site now sports pictures of naked people. Often they are not so obvious: your intrusion detection system indicates anomalous behavior, for example. Or they may just be indicators, such as system crashes, new user accounts, new files and folders or missing ones, or strange entries in log files.
Often, users are among the first to notice abnormalities. Therefore, all users should know what to do should they receive an attacker's phone call or notice that something is not right. You should train all employees to write things down on paper and sign and date the page, as most people do not remember that they tend to forget things.
Responding to an Incident
After some quick assessment, the CSIRT leader declares an incident and calls the team. All CSIRT meetings start the same: with a reminder of the need for confidentiality and record keeping. The CSIRT is not going to cover it up, but strives for a combination of right communication and right time.
The CSIRT keeps records in a notebook with numbered pages and the recording secretary will date and sign the pages. By now you are getting the idea: this is serious stuff and if you want to take someone to court, you had better do things in a way that will help rather than bog down any case you may try to make against the attacker.
At some point, the incident - if big enough - will be public. The media relations person on the team will be the only one to talk to the media, because she knows what to say and how to say it.
Additionally, and this is really important, everyone else in the company should be aware that only this person discusses incidents with the media. That way everyone else will know to say, "Let me transfer you to Judy Jones. She can help you with that." This is so much better than, "We got hacked or something. There are FBI guys everywhere, people are panicking."
Securing the Crime Scene
The CSIRT - or someone under its direction - will secure the crime scene, which may be the data center, individual servers, or users' PCs. There are usually many crime scenes, so apply these examples to every one of them.
Remember that we are dealing with latent evidence - evidence that is "present or potential, but not evident." [www.dictionary.com] Like fingerprints, it may be there but it must be discovered, and may be easily altered, damaged, or destroyed.
Two people should gather the evidence. One will take notes (or pictures) and verify what the other does, before he does it. We want to disturb as little as possible. For a computer, for example, it means knowing first what not to do. Do not run shutdown, do not make backups (you should have done that yesterday) and do not open or alter any log files. Do act calmly. Do think clearly. Do follow your written Incident Response Procedures.
Observe. Is the screen lit? If not, touch the "Shift" key or carefully and slightly move the mouse. Photograph and write down what you see on the screen. Write down what you hear. Almost always at this point you will, and this is going to sound crazy, shut the computer down by pulling the power cord from the back of the computer (not from the wall, as you want to make sure you've got the right one). It should be noticeably quieter.
Now, record everything you can about the computer including model, make, and serial number. Disconnect all the cables, labeling which ones went where, and place tape over the sockets. Again, take photos and write down everything you do.
If the evidence is in logs on various servers, you need not shut them all down (your ISP will be pleased to know this), but whoever makes copies of the logs must be just as meticulously careful. Keep it simple, document everything, and do not alter anything, as far as you are able. Finally, store all evidence in a secured container or location. Log if and when the evidence changes hands, as it is important to establish a clear chain of custody. Always think, "I may have to testify in court."
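The log-copying discipline and the chain-of-custody record described above, as an added example (not from the column): a small Python helper that hashes a log before and after copying it, refuses to record a copy that does not match, and appends every acquisition and hand-off, with the second person named as witness, to an append-only custody log. The file names, handler names and the log line in `demo()` are constructed for illustration.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path: str) -> str:
    h = hashlib.sha256()                       # chunked, so a large log need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class CustodyLog:
    # Append-only record of who did what to which item, witnessed by whom, and when.
    def __init__(self, path: str):
        self.path = path
    def record(self, item: str, action: str, handler: str, witness: str, **extra) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(), "item": item,
                 "action": action, "handler": handler, "witness": witness, **extra}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

def acquire_log(src: str, evidence_dir: str, handler: str, witness: str, log: CustodyLog) -> dict:
    """Copy src into evidence_dir, prove the copy matches bit-for-bit, and record it."""
    before = sha256_file(src)                  # hash the original before anything else is done
    dest = os.path.join(evidence_dir, os.path.basename(src))
    shutil.copyfile(src, dest)
    os.chmod(dest, 0o440)                      # the evidence copy is never opened for writing
    after = sha256_file(dest)
    if before != after:
        log.record(dest, "copy-failed", handler, witness, expected=before, got=after)
        raise RuntimeError("evidence copy does not match the source hash")
    log.record(dest, "acquired", handler, witness, source=src, sha256=after)
    return {"path": dest, "sha256": after}

def transfer(item: dict, from_handler: str, to_handler: str, log: CustodyLog) -> bool:
    """Hand-off: re-hash first, so any alteration since acquisition is caught and recorded."""
    ok = sha256_file(item["path"]) == item["sha256"]
    log.record(item["path"], "transferred" if ok else "hash-mismatch", from_handler, to_handler)
    return ok

def demo() -> dict:
    work = tempfile.mkdtemp()                  # constructed run: fake auth log, acquired then handed off
    src = os.path.join(work, "auth.log")
    with open(src, "w") as f:                  # constructed log line, not from any real system
        f.write("Jun 14 23:30:02 research1 sshd[412]: Accepted password for www from 203.0.113.7\n")
    evidence = os.path.join(work, "evidence")
    os.mkdir(evidence)
    log = CustodyLog(os.path.join(work, "custody.jsonl"))
    item = acquire_log(src, evidence, "A. Analyst", "B. Witness", log)
    ok = transfer(item, "A. Analyst", "C. Examiner", log)
    with open(log.path) as f:
        actions = [json.loads(line)["action"] for line in f]
    return {"sha256": item["sha256"], "transfer_ok": ok, "actions": actions,
            "matches_source": item["sha256"] == sha256_file(src)}
```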
Data Recovery and Investigation
Some readers were waiting for this sexy part of the discussion, and I am sorry to disappoint. Someone with experience, someone who does this every week for example, should recover the data and investigate the incident. All FBI field offices have expertise in computer forensics. Some local law enforcement does as well. Or your managed security service provider can help.
Last steps
After a real incident, have a team meeting when it is over to discuss what worked and what has to be changed. The lessons you learn from each incident will make you more effective in dealing with future incidents. This is all very involved, which is why it is vital to drill and test the procedures under a mock attack.
Resources
RFC 2196, Site Security Handbook
U.S. Department of Justice, Office of Justice Programs, National Institute of Justice Electronic Crime Scene Investigation: A Guide for First Responders
RFC 2350, "Expectations for Computer Security Incident Response"
SOC War Story: Protecting Critical Information Against Corporate Espionage
Business Problem
Information Security is not about protecting technology. It's about protecting the business. Vulnerable systems, poorly configured access privileges, disgruntled employees and the proliferation of network entry points provide the opportunity for confidential information to be leaked to competitors. Often the attacks that result in theft of proprietary information are undetectable by security technology as they leverage legitimate behavior. The only way to discover and stop these damaging attacks is to monitor the security infrastructure and critical information assets in real-time, 24X7.
At 11:30 on a Saturday evening, SecureWorks' Security Analysts received an alert originating from a Medical Research client's network. The alert itself merely described a legitimate "ID" event on a Unix system. However, because the command returned "root" and because of the time at which it occurred, SecureWorks' Security Analysts deemed the event suspicious and began investigating. This event proved to be the start of an attempt to steal proprietary information.
Solution
SecureWorks monitors and analyzes alerts and log events that occur across this client's IT security infrastructure 24X7X365 in order to uncover these high-threat incidents from the masses of innocuous events. As soon as they received the "ID" event at 11:30 on a Saturday evening, SecureWorks' Security Analysts immediately took action according to the Incident Handling Process. The level of urgency was raised when the Analysts discovered that the client used the compromised system to host discussion groups about their medical research. The Intrusion Analysts immediately contacted the client, letting them know that sensitive data was potentially at risk and that they may need to take the system offline.
The Intrusion Analysts diligently watched the intruder's activities, making sure they did not attempt to read, write or copy any critical data. The intruder apparently had other plans and saw this server as more of an entrance point than a final target. This was verified as the Intrusion Analysts watched the intruder install two programs and then carefully cover their tracks by cleaning up log file entries, all of it logged by SecureWorks.
"Without SecureWorks' Security Analysts continuously monitoring our critical information assets, we would not have detected this dangerous situation until well after the damage had been done," said the VP of Information Security at the Medical Research client. "As this incident demonstrated, SecureWorks is able to mitigate the risk to our information assets in real-time without disrupting our business."
Upon examining the files, the Intrusion Analysts discovered that one program was an SSH backdoor enabling the intruder to return to the system at will. The other program was designed to log all usernames and passwords entered on the system. Since many of the client's employees and customers used the system to discuss the latest research, this host would have provided the intruder with a variety of authentication information. The intruder could then use this information to gain access to other, more sensitive systems. Additional forensics discovered the intruder was able to gain access by exploiting an Apache vulnerability. Coincidentally, this system had been certified by a third-party audit firm weeks before the incident, demonstrating that you must constantly monitor systems to truly achieve effective information security.
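The triage reasoning in the story above (an "id" command that returned root, late on a Saturday night, from an account that should not hold root) as an added Python example. This is not SecureWorks' code; the audit line format, the host name, the `www` account, the admin account list and the business-hours window are all assumptions, and the three sample lines are constructed.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) cmd=(?P<cmd>\S+) out=(?P<out>.*)$")
ADMINS = {"opsadmin"}           # constructed: the only account expected to hold root on this host
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday; anything else is off-hours

def parse(line: str):
    """Return the event fields as a dict, or None for a line in another format."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def is_root_output(out: str) -> bool:
    return out.startswith("uid=0(")

def off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def triage(ev: dict) -> list:
    """Reasons to escalate an 'id' event; an empty list means leave it in the noise."""
    reasons = []
    if ev["cmd"] != "id" or not is_root_output(ev["out"]):
        return reasons                                # 'id' that did not return root: routine
    if ev["user"] not in ADMINS:
        reasons.append(f"root obtained by non-admin account {ev['user']}")
    if off_hours(ev["ts"]):
        reasons.append(f"off-hours activity at {ev['ts']:%a %H:%M}")
    return reasons

SAMPLE = [  # constructed audit lines; the first mirrors the Saturday 11:30 pm event in the story
    "2003-06-14T23:30:11 research1 audit: user=www cmd=id out=uid=0(root) gid=0(root)",
    "2003-06-16T10:05:42 research1 audit: user=opsadmin cmd=id out=uid=0(root) gid=0(root)",
    "2003-06-14T23:31:05 research1 audit: user=alice cmd=id out=uid=1002(alice) gid=100(users)",
]

def escalations(lines) -> list:
    """(user, reasons) for every line that deserves an analyst's attention."""
    found = []
    for line in lines:
        ev = parse(line)
        if ev is not None:
            reasons = triage(ev)
            if reasons:
                found.append((ev["user"], reasons))
    return found
```

Because the alert was evaluated off-host, the intruder's later clean-up of local log entries (described above) does not remove the record the analysts acted on.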